On May 7, 2021, Colonial Pipeline Company (“Colonial”) experienced a cybersecurity breach that led to the shut-down of its entire gasoline pipeline network for the first time in Colonial’s 57-year history. A Russian-linked cybercrime group known as DarkSide is thought to be the culprit behind the attack. Darkside allegedly accessed sensitive data on Colonial’s network using old employee login information purchased on the dark web, and then held this data for ransom until Colonial paid $4.4 million in cryptocurrency. Fortunately, in June, the U.S. Department of Justice was able to recover $2.3 million of the ransom. The Department of Homeland Security (“DHS”), the United States House of Representatives (“House”), and the Biden Administration quickly responded with directives, proposed legislation, and plans to combat future cyber-attacks on the country’s energy infrastructure.
On May 27, 2021, the Department of Homeland Security’s Transportation Security Administration (“TSA”) announced a new directive designed to enable the DHS to better identify, protect against, and respond to threats affecting critical companies in the pipeline sector. This directive requires critical pipeline owners and operators to: (1) report confirmed and potential cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency (“CISA”) within 12 hours of a cyberbreach discovery; (2) designate a Cybersecurity Coordinator with 24/7 availability; (3) review current practices; and (4) identify any gaps and related remediation to address cyber-related risks and report the results to the TSA and CISA within 30 days. If a company cannot comply with this directive, it must notify the TSA in writing, and seek approval for alternative cybersecurity methods. On July 20, 2021, the DHS and TSA issued a second directive requiring owners and operators of TSA-designated critical pipelines that transport hazardous liquids and natural gas to implement a series of urgent safeguards against cyber intrusions, develop and implement a cybersecurity recovery plan, and review existing cybersecurity-architecture designs.
In July, the House approved three bills aimed at improving cybersecurity in the U.S. energy industry: (1) the Energy Emergency Leadership Act (“H.R. 3119”); the Enhancing Grid Security through Public-Private Partnerships Act (“H.R. 2931”); and the Cyber Sense Act of 2021 (“H.R. 2928”). The proposed legislation is a direct response to recent cyberattacks aimed at U.S. infrastructure, like the ransomware attack on Colonial earlier this year. H.R. 3119 would direct the Secretary of Energy to assign energy emergency and cybersecurity responsibilities pertaining to infrastructure and cybersecurity to an assistant secretary, a position created to boost energy security as a core responsibility of the U.S. Department of Energy (“DOE”). H.R. 2931 would direct the Secretary of Energy to create a new program encouraging public-private partnerships, to enhance the physical and cybersecurity of electric utilities. Such cooperation is essential to address and mitigate risk to electric utilities in a nation that is highly dependent on the electrical grid. Finally, H.R. 2928 aims to reinforce the U.S. electrical grid by promoting a coordinated effort between the DOE and electric utilities by creating a program to test the cybersecurity of technology implemented for use in related facilities and control systems. These bills are currently before the U.S. Senate and should be presented for a vote in the upcoming months.
On July 28, 2021, the Biden Administration released the National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems, making the protection of the nation’s vulnerable, critical infrastructures a part of the administration’s official policy. The memo also announced the forthcoming establishment of an Industrial Control Systems Cybersecurity Initiative between the federal government and the critical infrastructure community, aimed primarily at increasing U.S. cybersecurity by facilitating the deployment of protective technologies and systems in the critical infrastructure sector. Participation in the initiative is currently voluntary, and the U.S. Secretary of Homeland Security is expected to establish the initiative’s preliminary cybersecurity performance goals for control systems no later than September 22, 2021.
Kuiper Law Firm, PLLC specializes in oil and gas; and will continue to monitor legislation affecting the industry. If you have any questions about the information in this article, do not hesitate to contact us.